Prototype Video: Introduction to Basic WordPress

By David Innes, | August 10, 2016

This is the first video I recorded while trying out a screen-casting app.  You know what?  I admit it’s a little goofy, and a little out of date, and I didn’t know what to do with my hands.  But you know what else?  It’s still a pretty good introduction to WordPress!  And a good introduction to how I work with clients, especially over the phone.

What’s covered:

  • How to find the login page when they’re no link
  • What you can expect to see on the WordPress dashboard
  • How to navigate between the dashboard and the public website
  • How to navigate to pages and edit them.
  • Review

The video is a little less than 11 minutes long.


Our Web Hosting Recommendations for 2016

By David Innes, | August 10, 2016

We’re able to work with almost* all hosting companies the following companies are well regarded in the industry for speed and service, and not known for either limiting service to get you to upgrade or for other sales-driven annoyances.

SiteGround The basic StartUp package would be good for your crisis management site but if you’re planning to have more than one site then their GrowBig package isn’t that much more expensive and it’s got… well… room to grow big!  We particularly appreciate that SiteGround was one of the first hosting companies to offer free, one-click, automatically-renewing Let’s Encrypt security certificates.


DreamHost They don’t have “special” introductory offers but then they don’t nickel and dime you later.  Their basic shared hosting is great — we’ve used it for years.  We haven’t tried their more expensive but theoretically more reliable dedicated WordPress service.  We don’t think you’d need it, but do read their materials just in case.

WPEngine logo

WPEngine The folks at WPEngine offer highly-dedicated, optimized, and secure, highly scaleable, and actively managed hosting specifically for WordPress websites.  They’re great for mission-critical, revenue-generating sites that have to stay up even under very heavy loads.  They’re pricier than our other recommendations but we’ve had good experiences with our clients who choose WPEngine.  Note: Unlike typical shared-hosting companies they don’t offer domain registration, email hosting or other amenities.  Since we recommend that our customers host their email with an independent email provider (Gmail/Gsuite, Microsoft 365, etc.) we don’t feel this is necessarily an obstacle.


Update: We no longer recommend hosting plans that don’t include free basic SSL/TLS security certificates. As of Google’s deadline of October 1 (they’re now downrating and warning users about sites without security certificates) some of our previous recommendations still don’t offer this now-basic service.

Site5 Their hostBasic and hostPro are comparable in service to SiteGround’s StartUp and GrowBig packages.  I’m not (yet) personally familiar with Site5 but they keep showing up at or near the top of (uncompensated) industry recommendations.

Note: If for any reason you’re concerned that we’ve used affiliate links in our recommendations, above, we’d like to offer an alternative.  We stand by our recommendations with or without the no-cost-to-you commissions we receive here are non-affiliated links if you’d like to use those instead:,

* By “almost” we mean not GoDaddy or a handful of small, older, privately-operated hosting companies.


WordPress vulnerabilities compared to Google, Apache, MySQL

By David Innes, | August 2, 2016

Graph shows WordPress vulnerabilities are comparable to other major software producers

Vulnerabilities graph from WPWhiteSecurity.

We’re very aggressive about fixing vulnerabilities in our client’s WordPress websites. We monitor multiple security sites to make sure we stay informed so we can apply fixes as soon as possible.

Does that mean WordPress in inherently vulnerable? Is its reputation deserved? As the graph from the white-hat security firm WP White Security shows the answer to both questions is no. More popularity and more scrutiny means the flaws inherent in all large software projects are found more quickly. And can be fixed more quickly.

Here’s their take. It’s one I share:

What does the above mean? So far more vulnerabilities have been reported for Drupal and Google products than for WordPress, its plugins and themes. Apache is not far and MySQL server, one of the most widely used database server has had nearly 600 vulnerabilities so far. Yet no software got the same bad reputation as WordPress did; Google is still the number one search engine and their products are used by millions of people from all over the world. Apache is always the first or second most used web server in the world, competing with NginX.

Read the entire post at WP White Security

So if WordPress’s reputation is undeserved does this mean we can all go to sleep? Um, no. Just like you still probably want to lock your office door when you leave for the night you still want to keep all your web-based software up to date, backed up, and security scanned too. Not just WordPress but your server software too — your web server, your database software, your language processors, the works.

But want to know a secret? The WordPress community makes it pretty easy to keep your site safe and secure. While it can be a real toothache updating your server software (you’d be surprised how many hosting companies fall down on this job) WordPress has gone out of its way to make security updates public, available, and relatively simple to maintain. There are wonderful backup and security plugins, many of which also update themselves. And (not to blow our own horns or anything) there are countless companies large and small that can manage everything for you.


Ideal Clients: Successful bloggers who don’t backup their sites

By David Innes, | July 15, 2016

A bike mechanic helps a cyclist get back on the road.

Image Roadside Assistance thanks to Flickr user Stuart-Buchanan used under a Attribution-NoDerivs License

A lot of bloggers start out almost on a lark and discover they love what they’re doing… and that their readers love them too.  Blogging successfully is it’s own job.  Constantly coming up with new content can be exhilarating and rewarding, but it can also be exhausting and time consuming.

It’s hard to shift gears away from the social and personal work of content, comments, and community to the under-the-hood annoyances of backups, updates, and security scans.

Do you know a blogger who’s been saying “yeah, I should really make a backup…” for the last 14 years?  Are you a blogger who’s got a lot invested in their site.

It’s sometimes hard for a great content creator to think about protecting their investment when they’re busy building it!  But at RealBasics it’s not hard for us — it’s our job, sure, but it’s also our commitment!

We’re not just able to help, we’re happy to!


Noooo! A blogger went 14 years without backing up… and now it’s gone

By David Innes, | July 14, 2016

Backup! photo by Flickr user

Image thanks to Flickr user tacker used under a Attribution-NoDerivs License

One of the first pillars of website security… no the first pillar of website security: make frequent backups.  Make backups early and often.  Make backups because annoying things can happen to your server.  Make backups because bad things can happen to your accounts.  Make backups because catastrophic things can happen to your entire 14 years of literary and artistic creativity!

Did I say make backups enough times in the preceding paragraph?  No I did not because it’s not possible to say it often enough!

The story’s making the rounds on literary, news, and tech blogs.  In a nutshell in 2002 an artist, Dennis Cooper, started a blog on what is now Google’s Blogger network.  The terms of service were much lighter in 2002.  Cooper’s content was evidently deemed to violate Google’s latest terms of service for Blogger and so they deleted his account and accompanying email.  Sidestepping any questions of propriety, terms of service, censorship, artistic freedom, etc., tech blogger Nate Hoffelder points out that Cooper’s real mistake was to go 14 years without a backup.  Hoffelder’s take?

I know they’re blaming Google here, but the fault really  lies with Cooper.

He’s the one who didn’t back up his blog.

Many people have encountered similar problems when other cloud platforms have shut down in the middle of the night (taking user data with them), been attacked (and lost user data in the attack), or for one reason or another kicked users off of a platform with no warning.

This is a known problem with using online services, and those who don’t plan for it only have themselves to blame.

Source: The Digital Reader

The other day I spoke with a different blogger, himself a respected artist with years of work on his site.  Again, he’d never made a backup!  Yes, he at least owns his own data.  But his hosting company isn’t exactly famous for making or keeping backups for its customers.

This is… risky.

Make backups.

Make backups early.

Make backups often!

If you’ve regular off-site backups it’s only inconvenient if your site goes down, or if hackers vandalize it, or if your service goes dark.  If you don’t have a backup you’re [insert words that would get y0ur mouth washed out with soap.]


The Feds just cracked down on a major “Tech Support” scam

By David Innes, | July 8, 2016

You know those alarming “your computer is infected” popups you get when you visit seemingly un-related websites?  The folks at Consumer Report’s Consumerist blog have some good news for inexperienced internet users

Screen shot of a typical, allegedly deceptive popup via

Screen shot of a typical, allegedly deceptive popup via

Here’s a good rule of thumb: if a window pops up on your computer alerting you that your device has been compromised by a malware attack and offers to fix the problem by calling a toll-free number, there’s a good chance it’s a scam. To that end: federal regulators and the state of Florida have accused an international tech support operation of bilking millions of dollars from American consumers.

The Federal Trade Commission and the Florida Attorney General’s Office announced Friday that they have filed a complaint against several tech support operations in Florida, Iowa, Nevada, and Canada, accusing the companies of deceiving consumers on the security of their computers.


Good timing because by coincidence…

  1. Just last week had I spent time helping my wife rid her Mac of a particularly hard to remove “utility suite.”  The culprit?  She’d innocently clicked “check my computer” after one of those #%!#% prompts and received a rats nest of interconnecting applications where each time you’d delete one another app in the suite would re-install it.
  2. Just last week I cleaned up a former client’s website that was injecting exactly those sort of malware/malvertising popups on their site.  Ironically the infection had arrived via an update to a compromised “security” plugin!

Just a reminder that actual reputable computer security firms don’t have to resort to bogus alerts or compromised plugins to get customers.  In fact reputable security firms spend a surprising amount of time cleaning up after the bogus ones.


Quick video tutorial: adding internal and external links to a page or post.

By David Innes, | July 7, 2016

I was about to record my own video to show how to add internal and external links in the latest version of WordPress when I stumbled across this short video by Dave at WP Smackdown.  He demonstrates how to add internal links (to another page) and external ones (to other sites.) it’s less than two minutes long.

Oh, one note: the narrator says to press Ctrl+K (or Cmd+K on a Mac) but you can also click the little chain-link icon in the toolbar. (You see it highlighted after he presses Cmd+K in the video.)

Check it out and let me know what you think.


Ever Say “Our Site Needs Work But… It’s Fine?”

By David Innes, | June 22, 2016

Unpaid Blogger photo by Flickr user

Image thanks to Flickr user Kevin Krejci used under an Attribution License

“Yeah, I’ve got a website. It needs a little work but… it’s fine.”

You ever feel that way when someone asks if you’ve got a website?  Ever hear someone else say it when you ask them?




There are a million reasons someone’s website is “fine” instead of fantastic.  And, as they say, you only need one!

Sometimes it’s because you don’t have time.  Sometimes you know what you want your site to do but you just don’t know how to do it.  Sometimes it’s just sloooooowww.

If you find yourself in that position you’re an ideal client.  If we don’t have the time we’ll make it.  We know how to make your site do what you want it to.  And we can help speed it up too.

And while we’re at it we’ll protect it, keep it backed up, keep your software up to date, and make sure it’s up and running too!

We’d love to hear from you!


Anti-Phishing Tip: Only Renew Your Domain With the Company You Registered With

By David Innes, | June 21, 2016

Money on a Hook photo by Flickr user

Image thanks to Flickr user Tax Credits used under an Attribution License

The security experts at Securi are calling attention to the latest version of a 15-year-old scam where you’re invited to “renew” your domain registration… but wind up transferring your domain to someone else.  Usually for more money.

When I received a letter in the mail asking me to renew my domain name, I immediately recognized it as a scam. The letter was designed to look like a bill, even including a return envelope for me to send payment to a company called iDNS Canada. I’d never heard of them before.

It’s also worth noting that these kinds of “offline scams” prey on people who inherently distrust doing business on the internet. Some people consider offline communication to be more more trustworthy. Everyone expects spam in their inbox, but not in their mailbox.

Source: Sucuri blog

Bottom line: Only renew your domain registrations with, you know, your actual domain registrar.  Even if your postal worker delivers the “bill” in a paper envelope.


Secure Your Site, Save Money With Let’s Encrypt Security Certificates

By David Innes, | June 13, 2016

From the tech web coming CommitStrip --

From the tech web comic CommitStrip.

For decades website owners who wanted to secure their sites and protect their users had to pay for complicated, often unwieldy security certificates.  Because they were really hard to implement site owners didn’t just have to pay the issuing certificate authority, they often had to pay their hosting companies as well.  Annually.

Late last year a new technology initiative called Let’s Encrypt was released.  Backed by various well-heeled players including the Electronic Frontier Foundation, the Mozilla Foundation, Akami and WordPress, Cisco Systems, and others, Let’s Encrypt provides free and very easy to use certificates for anyone who needs or even just wants one!

Ok, so what’s a Let’s Encrypt security certificate?  According to Wikipedia…

Let’s Encrypt is a certificate authority that launched on April 12, 2016 that provides free X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.

According to regular folks it’s a nice tool that makes it much harder (nothing is impossible) but much, much harder for hackers to skim usernames, passwords, email, credit card information, form data, and more.  This is particularly useful if you use public WiFi or similar shared connections in coffee shops, hotels, airports, and such.

Since it’s come out we’ve been routinely adding free Let’s Encrypt certificates to new customer’s sites for free when their hosting companies make it easy to do so.

Not all hosting companies offer Let’s Encrypt.  Not yet anyway.  Many of them don’t because it’s a bit of a pain.  Others don’t because, understandably, they don’t want to give up a revenue source that’s often higher per customer than their actual yearly hosting plans!  Still others are waiting for updates from cPanel, Plesk, WHM, and other host-management console vendors.  And some providers of very high-end hosting argue that while, yes, you do get much better security from Let’s Encrypt their customers are better served by paying full price for a “signed certificate” that not only provides security but also verifies that the owner of the certificate is who they say they are.  And yes, if you’re one of the small number of website owners who need not just to secure your connection but to verify and validate your identity you really do need more than Let’s Encrypt.

For everyone else?  Yeah, Let’s Encrypt is more than good enough.  It’s a very big deal.

Don’t get me wrong.  I’m not knocking hosting companies that don’t make Let’s Encrypt certificates easy to add.  But I am appreciating hosting companies that do.

Two companies we recommend started doing it right out of the gate. (Please note that if we use the service ourselves, and we also recommend to our customers, then we’re using affiliate links for those services.  The price will be the same for you whether you use our links or find them on your own.)  Both of those have the Let’s Encrypt built right into their control panels.  Both will set you up with a certificate in just a couple of clicks.

But while SiteGround and Dreamhost might have been the first to offer Let’s Encrypt, they’re no longer the only ones.  There’s an up-to-date list on GitHub.  I’m really glad to see the list continues to grow.